procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

trapping fake hotmail

2002-01-02 10:01:23
from [Paul Chvostek] [Permanent Link] 

Heya.

How does this look?

        :0
        *       ^From: ".+" <[a-z0-9_(_dot_)-]+(_at_)hotmail\(_dot_)com>
        *       ^X-Keywords:
        *       ^X-OriginalArrivalTime:
        *       ^X-UID: [0-9]+$
        *       ^Content-Length: [0-9]+$
        *       ^Lines: [0-9]+$
        *       ^From:(_dot_)+(_at_)(_dot_)
        *       ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
        *       ^Received: from hotmail.com (\/...
        * $     ^Message-ID: <${MATCH}(_dot_)+(_at_)hotmail\(_dot_)com>
        { }

        :0 fwE
        *       ^From:(_dot_)+(_at_)hotmail\(_dot_)com\>
        | formail -A "X-spamtrap: fake hotmail"

The interesting part is the last two conditions of the first recipe.  It
seems that every *legitimate* hotmail message I've received in the last
few months has the first three characters of the mail server hostname
turn up in upper case at the beginning of the Message-ID.

Feedback?


-- 
  Paul Chvostek                                             
<paul(_at_)it(_dot_)ca>
  Operations / Development / Abuse / Whatever       vox: +1 416 598-0000
  IT Canada                                            http://www.it.ca/

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Replacing the default Solaris 8 mda with procmail, Matt Carter
Next by Date:  Re: trapping fake hotmail, David W. Tamkin
Previous by Thread:  Replacing the default Solaris 8 mda with procmail, Matt Carter
Next by Thread:  Re: trapping fake hotmail, David W. Tamkin
Indexes:  [Date] [Thread] [Top] [All Lists]